What the hell are we waiting for?!?
Posted by Anup Ghosh on March 16, 2011 in Uncategorized
I’ve heard it discussed by security pundits, some of those within the mainstream press, former White House and Intelligence Community officials, and even certain folks on the Hill on many an occasion – the notion that a seminal event likened to a “Digital Pearl Harbor” or “Digital Katrina” is needed before any significant sweeping changes will occur in InfoSec. The unfortunate reality is that while the Hill and Big Business wait for a “Digital Pearl Harbor” to take InfoSec seriously, we are suffering under “Digital Chinese Water Torture,” or perhaps “Death by a Thousand Cuts.” Every day that passes without sweeping change in how we engineer our systems to be secure, rather than merely servicing the problem, means another drip here, another cut there, and irreparable losses across industry and government as our networks are pillaged and looted.
We all know the old adage with respect to news – if it bleeds, it leads. Ten years ago, it was hard to get people to wake up to the InfoSec threat. Ironically, we’ve now become so accustomed to security breaches, zero-day malware in popular desktop apps, and white-knuckle-inducing research statistics reported in mainstream news literally every day that we are hardly moved to action by it. For example, just the other day, Meredith Vieira reported on the Today Show about “unwitting accomplices” whose unsecured networks were being used to distribute illicit content. Last week, a research group published a study that concluded an average Internet user has a 95% likelihood of encountering a malicious web site in a 3-month period. And not to be outdone, the Ponemon Institute reported the average cost of a data breach of customer records to businesses was $7.2M in 2010.
Caught within the deluge of daily news of how InfoSec is not working, it can be hard at times to think strategically about the problem and solution space for InfoSec. Instead, as an industry we react to today’s threats with yesterday’s solutions, or, as the military saying goes, we fight the last war (with the tactics and tools of the last war) rather than the current one. And please do not mistake the analogy for a declaration that we are in a cyber-war…not going there with this post.
So are we caught in analysis paralysis, are we desensitized to the bleeding that’s going on, or do we have a helpless feeling that this is just a phenomenon that happens to us and we have no control over it? I suspect it is some of all of these, but it’s helpful to take a step back, look at the big picture, and think strategically about InfoSec.
The Big Picture: Frankly, we’re getting our collective asses kicked, and there is a system-wide issue we have to address to turn the tide back in our favor. Nobody is immune to the scourge: not the Intel, Defense or Civilian sectors of government, and, if this statement from Steven Chabinsky – Senior Advisor to the Director of National Intelligence – is to be believed, not any of our private sector verticals either: “It appears that every industry is being victimized by intrusions.”
We’ve talked about the Security Insanity Cycle previously, and the drain on business dollars and resources that goes into supporting the cycle and servicing the problem rather than addressing it head on. So we’ll spare you the soap-box on that issue in this post and invite you to read it at your leisure.
We were recently asked by a mainstream reporter to tell them what we thought about the “Web annoyances” that users encounter day-to-day…and after knocking another couple of head-sized holes in the walls of Invincea HQ, we realized we still have much work in front of us. Isn’t it obvious that what the average user encounters is much more than an annoyance?
By virtue of writing a piece on the state of InfoSec, we are bound to be criticized by others in the industry for propagating FUD – fear, uncertainty and doubt. So rather than respond to the FUD accusations in the comments section, let’s take it head on with a game of Fact or FUD.
Fact or FUD #1: The user is encountering a potential man-in-the-browser banking Trojan that will surreptitiously transfer funds from their personal accounts.
Fact or FUD #2: The user is encountering a potential nation state intent on stealing national secrets.
Fact or FUD #4: The user is encountering a potential massive financial risk to the organization.
Fact or FUD #5: The risk we face today is a systemic risk to competitiveness on the global scale – and as such a national security concern.
We’ve also documented our core belief in recent byline articles – that the user is the unwitting accomplice and the primary target for our adversaries, and that security teams are complicit by their inaction. Gone are the days of trying to brute force into corporate and government network infrastructure through corporate firewalls…all one must do now is prey on human psychology, use social networking to join the victim’s social network, bank on the fact that our security defenses are based on the last threat and not the current one, and ask the user to lower the bridge and invite the adversary in.
Believing all of the above to be Fact not FUD, we believe the security industry needs to put the user in a protective disposable bubble whenever he or she comes in contact with untrusted content from the InterWebs…and EVERYTHING on or coming through the InterWebs should be viewed as untrusted content.
To maintain a trusted environment – desktop and network – the user’s interaction with the untrusted content needs to be separated, or compartmented, from his or her physical machine. The goal of malicious content is to change the trusted environment. Using advances in virtualization and today’s commodity hardware, we can create on demand a separate, disposable operating system for the applications that run untrusted content. This way, when the untrusted content turns out to be harmful, it changes our disposable operating system rather than the user’s trusted operating system. Better yet, instrument that disposable operating system with sensors that detect when the environment changes, e.g., when a user unsuspectingly clicks on a malicious link, is hit by a drive-by attack, or opens a document that contains malicious software. When something causes a change in the environment, whether through user mistakes or malware intentions, the sensors trigger, the environment is disposed of, actionable forensic intelligence on the malware is captured, and the user is back up and running in a matter of seconds.
Now turn the thousands or tens of thousands of vulnerabilities in the network (i.e. users) into an asset – make them part of a real-time, zero-day, enterprise malware protection network – and you get real actionable intel you can use to block attacks as well as detect where else in your network you may already be compromised. Don’t throw away any of the signature-based cyber security solutions you’ve already invested in – these become the reference libraries for this newly found forensic intelligence. Feed the infrastructure and expand its usefulness – narrow the gaps.
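The disposable-environment cycle described in the two paragraphs above (provision, open the untrusted content, let the sensors compare against the baseline, capture forensics, dispose, then feed the indicators back to the rest of the network), as an added example in Python. This is not Invincea’s code or the product the post alludes to; it models the environment as a directory tree cloned from a golden image, the sensor as a before-and-after SHA-256 inventory, and the untrusted content as a function handed the working tree. The golden files, the dropper bytes, the 203.0.113.5 address and the fleet inventories are all constructed for the example.

```python
"""Model of a disposable environment with change sensors.

Added example, not Invincea's code. Assumptions: the "environment" is a
directory tree cloned from a golden image, the "sensor" is a before/after
SHA-256 inventory, and untrusted content is a callable given the tree.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Inventory every file under root as relative POSIX path -> SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(before: dict, after: dict) -> dict:
    """The sensor: anything added, removed or rewritten since the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def capture_forensics(work: Path, delta: dict) -> list:
    """Collect indicators from the changed files before the environment is destroyed."""
    records = []
    for change in ("added", "modified"):
        for rel in delta[change]:
            data = (work / rel).read_bytes()
            records.append({
                "path": rel,
                "change": change,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "head": data[:8].hex(),  # leading bytes help classify (e.g. "MZ" PE header)
            })
    records.extend({"path": rel, "change": "removed"} for rel in delta["removed"])
    return records


def disposable_session(golden: Path, open_untrusted) -> list:
    """Clone the golden image, open the content in the clone, run the sensor,
    capture forensics, dispose. Returns the records (empty if nothing changed)."""
    scratch = Path(tempfile.mkdtemp(prefix="disposable-"))
    work = scratch / "env"
    try:
        shutil.copytree(golden, work)           # on-demand environment
        baseline = snapshot(work)
        open_untrusted(work)                    # user opens the link or document
        delta = diff(baseline, snapshot(work))  # sensor trigger
        if not any(delta.values()):
            return []
        return capture_forensics(work, delta)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)  # dispose; golden image untouched


def to_blocklist(records: list) -> set:
    """Turn captured indicators into hashes a signature engine can consume."""
    return {r["sha256"] for r in records if r["change"] == "added"}


def hunt(blocklist: set, fleet: dict) -> list:
    """Check other hosts' file inventories ({host: {path: sha256}}) for the indicators."""
    return sorted(
        (host, path)
        for host, inventory in fleet.items()
        for path, digest in inventory.items()
        if digest in blocklist
    )


def demo() -> dict:
    """Run a benign and a malicious document through the cycle on a constructed golden image."""
    tmp = Path(tempfile.mkdtemp(prefix="golden-"))
    try:
        golden = tmp / "golden"
        (golden / "etc").mkdir(parents=True)
        (golden / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (golden / "readme.txt").write_text("trusted baseline\n")
        golden_before = snapshot(golden)
        payload = b"MZ\x90\x00constructed dropper, not a real binary"

        def malicious_document(work: Path) -> None:
            (work / "dropper.exe").write_bytes(payload)        # drops a file
            with (work / "etc" / "hosts").open("a") as f:      # redirects a bank domain
                f.write("203.0.113.5 bank.example\n")          # (documentation address)

        def benign_document(work: Path) -> None:
            (work / "readme.txt").read_text()                  # reads only, changes nothing

        malicious = disposable_session(golden, malicious_document)
        benign = disposable_session(golden, benign_document)
        blocklist = to_blocklist(malicious)
        # Constructed inventories from two other hosts; host-a already has the dropper.
        fleet = {
            "host-a": {"C:/Users/alice/Downloads/invoice.exe": hashlib.sha256(payload).hexdigest()},
            "host-b": {"C:/Windows/notepad.exe": hashlib.sha256(b"unrelated").hexdigest()},
        }
        return {
            "malicious": malicious,
            "benign": benign,
            "blocklist": blocklist,
            "hits": hunt(blocklist, fleet),
            "golden_intact": snapshot(golden) == golden_before,
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, default=sorted))
```

The sensor fires only on changes to the environment: content that merely reads what is already there and sends it out leaves no delta, which is one more reason the disposable environment should hold nothing worth stealing. The captured hash is the kind of indicator the signature-based tools mentioned above can ingest, and `hunt` is the step that turns one user’s encounter into a check across every other host’s inventory.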
The user – whether at home or at the office – is the target. We now need to change the game from blaming users…and instead focus on protecting the network from the user, and the user from himself or herself.
It is more than just an issue of preventing annoyances, and it isn’t just FUD; it’s a matter of protecting our assets from people who don’t have a right to them and having assurance that we are operating on a machine and through a network that has not been compromised. We need to stop waiting for a “Digital Pearl Harbor” while we die by a thousand cuts.
Our time is NOW. Let’s get moving. What the hell are we waiting for?